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DETAILED ACTION 

This final action is in response to the amendment filed on 04/18/2007. Claims 1-1 1 are 
pending and have been considered as follows. 

Claim Rejections - 35 USC§ 101 

1. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

- Claim 10 is rejected under 35 U.S.C. 101 because the claimed invention is directed to 
non-statutory subject matter. In claim 10, the applicant is claiming a computer program 
and what appears to either be another computer program or data which is non-statutory 
subject matter as in accordance to 35 U.S.C. 101. 

Claim Rejections - 35 USC§ 102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

3. Claims 1-5, 7-1 1 are rejected under 35 U.S.C. 102(b) as being anticipated by Dutcher 
(US-6021496-A). 



J/ 
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Claim 1: 

Dutcher discloses a method for logging a new user into a data processing device with an 
operating system and an accessible element that is at least one of an application program and 
sensitive data, comprising, 

- "endinq a first user's access to the accessible element without unloading or restarting the 
accessible element" (i.e. "the maintenance of user accounts occurs as part of the user 
logging off form the Windows NT client which is a positive outcome at step 106 of FIG. 
1 1 . At logoff, the user account is checked to determine if it is to be managed by the 
invention. This is determined by checking to see if the user is part of the Roaming Users 
group on the Windows NT client") [column 12 lines 8-14]; 

- "determining authentication data for authenticating a usef (i.e. "In this known technique, 
flie gina module 15 tightly controls the locations that are available for authentication to 
include the local NT workstation itself, the remote NT server 12a, and any other servers 
that are "tmsted" by the NT server that the client is configured against. Generally, only 
these options are shown to the user seeking authentication, and there are no interfaces 
available to enable the user to be authenticated firom non-native server domains. The 
present invention addresses this problem") [column 5 lines 22-30]; 

- "defining an identity and access rights depending on the authentication data" (i.e. "Thus, 
according to a primary goal of the present invention, the homogeneous NT client-server 
environment is uncoupled so that a user of a Windows NT client (by way of example 
only) may be authenticated by a non-native server. With respect to authentication of the 
Windows NT client, the client-server environment is "heterogeneous." Authentication at 
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the client gives the user access to resources on the client system, and when this is done 
via an account definition held at a server, it also gives the user access to resources at the 
server network via a single logon. The present invention thus enables a user to select a 
particular location against which he or she desires to be authenticated. Thus, the user's 
account information may be retained at the non-native server domain in addition to (or 
instead of) the Windows NT server normally coupled to the Windows NT client in a 
closed manner. The user's single userid and password are then held out at a non-native 
server, such as a Warp Server, a DCE cell, or the like. This information may also be 
retained at a native server domain") [colunm 6 lines 1-18]; 
- "providing access, depending on the defined access rights, for at least one of the 
application program and sensitive data" (i.e. "Thus, according to a primary goal of the 
present invention, the homogeneous NT client-server environment is uncoupled so that a 
user of a Windows NT client (by way of example only) may be authenticated by a non- 
native server. With respect to authentication of the Windows NT client, the client-server 
environment is "heterogeneous." Authentication at the client gives the user access to 
resources on the client system, and when this is done via an account definition held at a 
server, it also gives the user access to resources at the server network via a single logon. 
The present invention thus enables a user to select a particular location against which he 
or she desires to be authenticated. Thus, the user's account information may be retained 
at the non-native server domain in addition to (or instead of) the Windows NT server 
normally coupled to the Windows NT client in a closed manner. The user's single userid 
and password are then held out at a non-native server, such as a Warp Server, a DCE cell. 
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or the like. This information may also be retained at a native server domain") [column 6 
lines 1-18]; 

- "the method being independent of restarting the operating system or the application 
program" (i.e. "Referring now to FIG. 12, a block diagram is shown of the preferred 
architecture of the present invention, gina module 15* (ibmgina.dll) exports a set of 
functions 120 (also referred to as WIx* functions) required to support the WinLogon 
process. This module also controls the visual elements of the interface including 
displaying the logon panel, collecting the userid and password from the user, displaying 
messages, etc. To actually perform the work of authentication, the gina module 15' issues 
calls to the domain manager 122, which is implemented by dm.dll 124. The domain 
manager 122 provides the framework that support multiple authentication providers 
(domain drivers) at the same time. It accepts requests from the gina module ibmgina.dll, 
determines the appropriate domain driver to handle tiie request, and then routes the 
request to the domain driver to actually perform the work. The domain manager 122 also 
manages dynamically-created local accounts when performing a non-native logon so that 
the user has the proper security context on his or her workstation when logged on to the 
server. This frees the domain drivers from re-implementing the same function so that they 
can concentrate on providing code that is unique to the driver") [column 14 lines 17-38]. 
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Claim 2: 

Dutcher discloses a method for logging a new user into a data processing device as in Claim 1 

above, and further discloses, 

- "displaying a user interface, depending on the defined access rights" (i.e. "Following 
selection of a domain, the user is then authenticated at step 38. Such authentication may 
be at a native or non-native server according to the present invention. Typically, this 
authentication is a process in which the userid and password are provided to a user 
account database for validation. Upon successful validation, a positive confirmation is 
received for the authentication and the user processing is allowed to continue. Thereafter, 
at step 40, when authentication is at a non-native server, a "local" user account is created 
dynamically (or, alternatively, updated if the user account already exists) at the client 
machine. This is a Windows NT account in the preferred embodiment. At step 42, the NT 
user profile is retrieved and established at the client to enable the user to initialize a 
personal "desktop" and to implement certain access "preferences" at the cHent. The "user 
profile" (which normally differs firom the "user account" described above) thus preferably 
includes, without limitation, a desktop definition and a set of preferences for the user. A 
user profile is created as the user changes appearance and preferences while using the 
client. Thus, for example, the display screen format is accessed and altered through 
known techniques (e.g., the Windows '95 desktop "Preferences")") [column 6 lines 43- 
65]; 
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- "performing a user switch process step that causes the method to begin again at the first 
step" (i.e. "By supporting "user profiles," the invention provides desktop and 
environment consistency. Instead of having a single user tied to a single workstation with 
iheir own preferences, the users can be "roaming users" that utilize any of a set of 
workstations. This also supports multiple users being able to get their unique desktops on 
a single NT client. Further, when the user account is established, the user may become a 
member of groups having access privileges. These privileges are typically set by system 
policies that control the functions clients are able to execute. With policies, server 
administrators can centrally control what users can do on a particular set of servers") 
[column 13 lines 51-62]; 

- "content of a user interface remaining unchanged until access rights have been defined 
again" (i.e. "The routine begins at step 106 to determine whether the user account is to be 
cleaned up. Step 106 has a positive outcome at logoff, but there may be other occasions 
when the user is still logged on when it will be desirable to implement the routine. If the 
outcome of the test at step 106 is negative, the routine cycles. Upon a positive outcome, 
however, the routine executes a test at step 108 to determine whether the user account 
should be maintained. If so, a second test is performed at step 1 10 to determine whether 
the account should be maintained but disabled. If the outcome of the test at step 1 10 is 
negative, the account information is retained on the machine as active at step 1 12. If the 
result of the test at step 1 10 is positive, the account is maintained but disabled at step 1 14. 
If, however, the outcome of the test at step 108 is negative, the user account is deleted at 
step 1 16 and the routine terminates") [column 1 1 lines 26-41]. 
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Claim 3: 

Dutcher discloses a method for logging a new user into a data processing device as in Claim 2 

above, and further discloses, 

- "content of the user interface is reduced if the renewed definition of access rights defines 
a more limited scope than the previous definition allowed" (i.e. "The routine begins at 
step 106 to determine whether the user account is to be cleaned up. Step 106 has a 
positive outcome at logoff, but there may be other occasions when the user is still logged 
on when it will be desirable to implement the routine. If the outcome of the test at step 
106 is negative, the routine cycles. Upon a positive outcome, however, the routine 
executes a test at step 108 to determine whether the user account should be maintained. If 
so, a second test is performed at step 1 10 to determine whether the account should be 
maintained but disabled. If the outcome of the test at step 1 10 is negative, the account 
information is retained on the machine as active at step 1 12. If flie result of the test at step 
1 10 is positive, the account is maintained but disabled at step 114. If, however, the 
outcome of the test at step 108 is negative, the user account is deleted at step 116 and the 
routine terminates") [column 1 1 lines 26-41]. 

Claim 4: 

Dutcher discloses a method for logging a new user into a data processing device as in Claim 3 
above, and further discloses, 

\ 
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- "generating warning message indicating a reduction in content and that the user has an 
opportunity to begin the method at the first step again before reduction" (i.e. 
"WIxDisplayLockedNotice 0~displays the "locked workstation" notice") [column 15 
lines 27-28]. 

Claim 5: 

Dutcher discloses a method for logging a new user into a data processing device as in Claim 1 
above, and further discloses, 

- "displaying a user interface in accordance with the access rights that are defined" (i.e. 
"Following selection of a domain, the user is then authenticated at step 38. Such 
auflientication may be at a native or non-native server according to the present invention. 
Typically, this authentication is a process in which the userid and password are provided 
to a user account database for validation. Upon successful validation, a positive 
confirmation is received for the authentication and the user processing is allowed to 
continue. Thereafter, at step 40, when authentication is at a non-native server, a "local" 
user account is created dynamically (or, alternatively, updated if the user account already 
exists) at the client machine. This is a Windows NT account in the preferred embodiment. 
At step 42, the NT user profile is retrieved and established at the client to enable the user 
to initialize a personal "desktop" and to implement certain access "preferences" at the 
client. The "user profile" (which normally differs from the "user account" described 
above) tfius preferably includes, without limitation, a desktop definition and a set of 
preferences for the user. A user profile is created as the user changes appearance and 
preferences while using the client. Thus, for example, the display screen format is 
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accessed and altered through known techniques (e.g., the Windows '95 desktop 
"Preferences")") [column 6 lines 43-65]; 

- "deleting, by a User Logout procedure, content of a user interface" (i.e. "The routine 
begins at step 106 to determine whether the user account is to be cleaned up. Step 106 has 
a positive outcome at logoff, but there may be other occasions when the user is still 
logged on when it will be desirable to implement the routine. If the outcome of the test at 
step 106 is negative, the routine cycles. Upon a positive outcome, however, the routine 
executes a test at step 108 to determine whether the user account should be maintained. If 
so, a second test is performed at step 1 10 to determine whether the account should be 
maintained but disabled. If the outcome of the test at step 1 10 is negative, the account 
information is retained on the machine as active at step 1 12. If the result of the test at step 
1 10 is positive, the account is maintained but disabled at step 1 14. If, however, the 
outcome of the test at step 108 is negative, the user account is deleted at step 116 and the 
routine terminates") [column 1 1 lines 26-41]; 

- "starting the method from the first step again" (i.e. "Turning now to FIG. 8, a flowchart is 
shown of the next step according to the present invention, namely, the establishment of a 
user account at the client. This was step 40 in FIG. 4. The user account is dynamically 
established at the client machine in a format of the native operating system. Thus, in the 
preferred embodiment, a Windows NT user account is established at the client machine 
after authentication (which may be, as noted above, from a non-native server domain). 
The routine to dynamically create an NT user begins at step 84 to test whether 
notification of a successful authentication has been received from the server. If the 
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outcome of the test at step 84 is negative, the routine cycles. If, however, the outcome of 
the test at step 84 is positive, the routine continues to create a new NT user on that 
machine (or update an existing account) at step 85 and to associate a set of access rights 
to the new (or updated) user account. To this end, the routine continues at step 86 by 
issuing a request to the server (at which the client was authenticated) to retrieve unique 
user information and, further, to identify each group in which the user is a member. 
Although not meant to be limiting, a particular "group" is merely a collection of users 
that have defined access rights according to some policy. The group information is a 
convenient mechanism to define the user's privileges with respect to information 
available from the server. At step 88, the unique user information and group information 
associated with the authenticated user is retrieved from the server. At step 90, a 
representation of the "groups" is set up at the client machine. These local "groups" mirror 
flieir counterparts on the server. The routine then continues at step 92 to make the user a 
member of the local groups. This is achieved by linking the user account to the local 
group information in a data structure. This completes the processing") [column 9 lines 
39-67 & colunm 10 lines 1-4]. 
Claim 7: 

Dutcher discloses a method for logging a new user into a data processing device as in Claim 1 
above, and further discloses. 
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- "activating a screen saver by a defined condition to make a user interface illegible" (i.e. 
"WIxscreenSaverNotify 0~handles screen saver display request") [column 15 lines 33- 
34]; 

- "beginning the method from the first step again" (i.e. "WIxscreenSaverNotify Q-handles 
screen saver display request") [column 15 lines 33-34]. 

Claim 8: 

Dutcher discloses a method for logging a new user into a data processing device as in Claim 7 
above, and further discloses, 

- "defined condition is some amoimt of elapsed time" (i.e. "WIxscreenSaverNotify Q— 
handles screen saver display request") [column 15 lines 33-34]. 

Claim 9: 

Dutcher discloses a method for logging a new user into a data processing device as in Claim 1 
above, and further discloses, 

- "blocking all access rights based upon a failed attempt to authenticate a user in the first 
step" (i.e. "Turning now to FIG. 8, a flowchart is shown of the next step according to the 
present invention, namely, the establishment of a user account at the client. This was step 
40 in FIG. 4. The user account is dynamically established at the client machine in a 
format of the native operating system. Thus, in the preferred embodiment, a Windows NT 
user account is established at the client machine after authentication (which may be, as 
noted above, from a non-native server domain). The routine to dynamically create an NT 
user begins at step 84 to test whether notification of a successful authentication has been 
received from the server. If the outcome of the test at step 84 is negative, the routine 
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cycles. If, however, the outcome of the test at step 84 is positive, the routine continues to 
create a new NT user on that machine (or update an existing account) at step 85 and to 
associate a set of access rights to the new (or updated) user account. To this end, the 
routine continues at step 86 by issuing a request to the server (at which the client was 
authenticated) to retrieve unique user information and, further, to identify each group in 
which the user is a member. Although not meant to be limiting, a particular "group" is 
merely a collection of users that have defined access rights according to some policy. The 
group information is a convenient mechanism to define the user's privileges with respect 
to information available from the server. At step 88, the unique user information and 
group information associated with the authenticated user is retrieved from the server. At 
step 90, a representation of the "groups" is set up at the client machine. These local 
"groups" mirror their counterparts on the server. The routine then continues at step 92 to 
make the user a member of the local groups. This is achieved by linking the user account 
to the local group information in a data structure. This completes the processing") 
[column 9 lines 39-67 & colunm 10 lines 1-4]. 
Claim 10: 

Dutcher discloses a computer system, comprising, 

- "an accessible element that is at least one of an application program and sensitive data 
that is accessible by a first user and a subsequent second user without unloading or 
restarting the accessible element" (i.e. "One of the preferred implementations of the 
invention is a client application, namely, a set of instructions (program code) in a code 
module which may, for example, be resident in the random access memory of the 
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computer. Until required by the computer, the set of instructions may be stored in another 
computer memory, for example, in a hard disk drive, or in a removable memory such as 
an optical disk (for eventual use in a CD ROM) or floppy disk (for eventual use in a 
floppy disk drive), or downloaded via the Intemet or other computer network. Thus, the 
present invention may be implemented as a computer program product for use in a 
computer") [column 12 lines 65-67 & column 13 lines 1-15]; 
- "a program stored in a memory element of the computer comprising a software module or 
algorithm for determining authentication data for authenticating the second user with 
respect to the accessible element, a software module or algorithm for defining an identity 
and access rights depending on the authentication data, and a software module or 
algorithm for providing access, depending on the defined access rights, for the accessible 
element" (i.e. "an accessible element that is at least one of an application program and 
sensitive data that is accessible by a first user and a subsequent second user without 
unloading or restarting the accessible element" (i.e. "One of the preferred 
implementations of the invention is a client application, namely, a set of instructions 
(program code) in a code module which may, for example, be resident in the random 
access memory of flie computer. Until required by the computer, the set of instructions 
may be stored in anodier computer memory, for example, in a hard disk drive, or in a 
removable memory such as an optical disk (for eventual use in a CD ROM) or floppy 
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disk (for eventual use in a floppy disk drive), or downloaded via the Internet or other 
computer network. Thus, the present invention may be implemented as a computer 
program product for use in a computer") [column 12 lines 65-67 & column 13 lines 1- 
15]. 
Claim 11: 

Dutcher discloses a computer readable data storage media having a program, comprising, 

- "a software module or algorithm for determining autfientication data for authenticating a 
user into a data processing deAace with an operating system and an accessible element 
that is at least one of an application program and sensitive data" (i.e. "In the prior art, a 
user of a Windows NT client 10a is typically authenticated by a Windows NT server 12a 
as shown in FIG. 2. This proprietary client-server linkage is created by the fact that both 
the client and server run the same operating system (e.g., Microsoft Windows NT 4.0) 
and use an undocumented set of interfaces for the ftinction of user authentication") 
[column 4 lines 66-67 & colunm 5 lines 1-5]; 

- "a software module or algorithm for defining an identity and access rights depending on 
the authentication data" (i.e. "In the prior art, a user of a Windows NT client 10a is 
typically authenticated by a Windows NT server 12a as shown in FIG. 2. This proprietary 
client-server linkage is created by the fact that both the client and server run the same 
operating system (e.g., Microsoft Windows NT 4.0) and use an undocumented set of 
interfaces for the ftinction of user authentication") [column 4 lines 66-67 & column 5 
lines 1-5]; 
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- "a software module or algorithm for providing access by the user, depending on the 
defined access rights, for the accessible element subsequent to an access of the accessible 
element by a prior first user without unloading or restarting the accessible element" (i.e. 
"In the prior art, a user of a Windows NT client 10a is typically authenticated by a 
Windows NT server 12a as shown in FIG. 2. This proprietary client-server linkage is 
created by the fact that both the client and server run the same operating system (e.g., 
Microsoft Windows NT 4.0) and use an undocumented set of interfaces for the fiinction 
of user authentication") [column 4 lines 66-67 & column 5 lines 1-5], 



Claim Rejections - 35 USC§ 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 1 02 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

5. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Dutcher (US- 
6021496-A) and in fiirther view of Win (US-6161 139-A). 

Claim 6: 

Dutcher discloses the method as in claim 1 above, but does not disclose, 

- "logging all access to the application program and all access to the sensitive data together 
with the respectively defined identity" 
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however, Win does disclose, 

- "For each login attempt, the Login Tracking Service logs the user's login activity. It saves 
the time of last successful and unsuccessful logins and number of consecutive, 
unsuccessful login attempts. The last successful and unsuccessful login times are 
displayed to the user after each successful login. Users can thus detect if someone else 
has attempted to use their account" [column 9 lines 46-52]; 
Therefore, it would have been obvious to one having ordinary skill in the art at the time of the 
applicant's invention to have logging applied to Dutcher*s invention for the purposes of tracking 
various aspects for security, debugging, and/or troubleshooting since the invention as disclosed 
by Win entails a network with user logins, where a log or tracker service keeps record of the user 
activity as is being claimed by the applicant. 

Response to Arguments 

6. Applicant's arguments filed 04/1 8/2007 have been fully considered but they are not 
persuasive. Applicant's arguments regarding independent Claims 1-5 & 7-9 have been 
considered above in the standing 35 U.S.C. 102(b) rejections and are non-persuasive. It is noted 
that any computer system comprising user logon and authentication on a network comprises at 
least two or more users, hence the definition of a computer network. Applicant's arguments 
regarding Claim 6 have been considered above in the standing 35 U.S.C 103(a) rejection and is 
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non-persuasive. Win discloses a "Login Tracking Service'' that "logs the user's login activity," 
in a computer network environment witii users. This is equivalent to the applicant's "logging," 
which also operates iii a similar environment and logs similar information pertaining to the user's 
activity. 

7, THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.1 36(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS firom the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1 .136(a) will be calculated firom tfie mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

Conclusion 

8. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Examiner Oscar Louie whose telephone number is 571-270-1684. 
The examiner can normally be reached Monday through Thursday from 7:30 AM to 4:00 PM. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, James Myhre, can be reached at 571-270-1065. The fax phone number for Formal or 
Official faxes to Technology Center 2100 is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Busmess Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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